Network Intrusion Detection System Using Snort
6,035 views
22 slides
Sep 04, 2015
Slide 1 of 22
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
About This Presentation
Intrusion Detection System, Components, Types, Positioning of sensors, Protecting the IDS, Snort, Modes of Snort, Components of Snort, Basic Analysis and Security Engine (BASE), Wireshark, Writing Snort rules
Slide Content
Network Intrusion Network Intrusion
Detection System Using Detection System Using
SnortSnort
By-By-
Disha BediDisha Bedi
Detection System Using Detection System Using
SnortSnort
By-By-
Disha BediDisha Bedi
IntroductionIntroduction
In my project I developed a rule based network intrusion In my project I developed a rule based network intrusion
detection system using Snort.detection system using Snort.
BASE is used as the output module and Wireshark is BASE is used as the output module and Wireshark is
used as a packet analyzer to modify our rules from time used as a packet analyzer to modify our rules from time
to time. to time.
A combination of Snort and BASE makes it possible to A combination of Snort and BASE makes it possible to
log the intrusion detection data into a database and then log the intrusion detection data into a database and then
view and analyze it later, using a web interface.view and analyze it later, using a web interface.
The goal of this project is to implement network security The goal of this project is to implement network security
to a product of Siemens, to a product of Siemens, SPPA-T3000SPPA-T3000, which is the , which is the
instrumentation and control system that provides remote instrumentation and control system that provides remote
access to power plant management systems. access to power plant management systems.
In my project I developed a rule based network intrusion In my project I developed a rule based network intrusion
detection system using Snort.detection system using Snort.
BASE is used as the output module and Wireshark is BASE is used as the output module and Wireshark is
used as a packet analyzer to modify our rules from time used as a packet analyzer to modify our rules from time
to time. to time.
A combination of Snort and BASE makes it possible to A combination of Snort and BASE makes it possible to
log the intrusion detection data into a database and then log the intrusion detection data into a database and then
view and analyze it later, using a web interface.view and analyze it later, using a web interface.
The goal of this project is to implement network security The goal of this project is to implement network security
to a product of Siemens, to a product of Siemens, SPPA-T3000SPPA-T3000, which is the , which is the
instrumentation and control system that provides remote instrumentation and control system that provides remote
access to power plant management systems. access to power plant management systems.
Intrusion Detection SystemIntrusion Detection System
(IDS)(IDS)
Intrusion detectionIntrusion detection is a set of techniques and methods is a set of techniques and methods
that are used to detect suspicious activity both at the that are used to detect suspicious activity both at the
network and host level. network and host level.
Intruders have signatures that can be detected. Based Intruders have signatures that can be detected. Based
upon a set of signatures and rules, the intrusion upon a set of signatures and rules, the intrusion
detection system (IDS) is able to find and log detection system (IDS) is able to find and log
suspicious activity and generate alerts. suspicious activity and generate alerts.
Usually an intrusion detection system captures a packet Usually an intrusion detection system captures a packet
from the network, applies rules to its data and detects from the network, applies rules to its data and detects
anomalies in it. anomalies in it.
(IDS)(IDS)
Intrusion detectionIntrusion detection is a set of techniques and methods is a set of techniques and methods
that are used to detect suspicious activity both at the that are used to detect suspicious activity both at the
network and host level. network and host level.
Intruders have signatures that can be detected. Based Intruders have signatures that can be detected. Based
upon a set of signatures and rules, the intrusion upon a set of signatures and rules, the intrusion
detection system (IDS) is able to find and log detection system (IDS) is able to find and log
suspicious activity and generate alerts. suspicious activity and generate alerts.
Usually an intrusion detection system captures a packet Usually an intrusion detection system captures a packet
from the network, applies rules to its data and detects from the network, applies rules to its data and detects
anomalies in it. anomalies in it.
Components of IDSComponents of IDS
SensorsSensors are placed to listen to various activities in a are placed to listen to various activities in a
network or system. network or system.
ConsoleConsole monitors events and alerts. monitors events and alerts.
EngineEngine generates alerts if there is a suspicious generates alerts if there is a suspicious
activity in the monitored eventsactivity in the monitored events. .
SensorsSensors are placed to listen to various activities in a are placed to listen to various activities in a
network or system. network or system.
ConsoleConsole monitors events and alerts. monitors events and alerts.
EngineEngine generates alerts if there is a suspicious generates alerts if there is a suspicious
activity in the monitored eventsactivity in the monitored events. .
Types of IDSTypes of IDS
There are two types of IDS based on the choice of sensor There are two types of IDS based on the choice of sensor
position-position-
Host Intrusion Detection Systems (HIDS):Host Intrusion Detection Systems (HIDS):
A host based intrusion detection system (HIDS) monitors A host based intrusion detection system (HIDS) monitors
internal components of a computer. internal components of a computer.
Network Intrusion Detection Systems (NIDS):Network Intrusion Detection Systems (NIDS):
Network based intrusion detection systems (NIDS) analyzes Network based intrusion detection systems (NIDS) analyzes
network packets captured by one or more sensors, which are network packets captured by one or more sensors, which are
located in the network.located in the network.
There are two types of IDS based on the choice of sensor There are two types of IDS based on the choice of sensor
position-position-
Host Intrusion Detection Systems (HIDS):Host Intrusion Detection Systems (HIDS):
A host based intrusion detection system (HIDS) monitors A host based intrusion detection system (HIDS) monitors
internal components of a computer. internal components of a computer.
Network Intrusion Detection Systems (NIDS):Network Intrusion Detection Systems (NIDS):
Network based intrusion detection systems (NIDS) analyzes Network based intrusion detection systems (NIDS) analyzes
network packets captured by one or more sensors, which are network packets captured by one or more sensors, which are
located in the network.located in the network.
There are two types of IDS based on the choice of There are two types of IDS based on the choice of
detection enginedetection engine--
Anomaly DetectionAnomaly Detection
An anomaly based detection engine can trace deviations An anomaly based detection engine can trace deviations
from the normal state of a system, which is possibly from the normal state of a system, which is possibly
caused by an attack to the system. caused by an attack to the system.
Signature DetectionSignature Detection
Signature based intrusion detection engines try to detect Signature based intrusion detection engines try to detect
an attack from its fingerprints. an attack from its fingerprints.
detection enginedetection engine--
Anomaly DetectionAnomaly Detection
An anomaly based detection engine can trace deviations An anomaly based detection engine can trace deviations
from the normal state of a system, which is possibly from the normal state of a system, which is possibly
caused by an attack to the system. caused by an attack to the system.
Signature DetectionSignature Detection
Signature based intrusion detection engines try to detect Signature based intrusion detection engines try to detect
an attack from its fingerprints. an attack from its fingerprints.
Positioning of sensors Positioning of sensors
Behind the firewall:Behind the firewall:
IDS will not be able to detect every attack because IDS will not be able to detect every attack because
some parts of the packets belonging to the attack will some parts of the packets belonging to the attack will
be blocked by the firewall, thus IDS is unable to detect be blocked by the firewall, thus IDS is unable to detect
the signature of the attack. the signature of the attack.
Behind the firewall:Behind the firewall:
IDS will not be able to detect every attack because IDS will not be able to detect every attack because
some parts of the packets belonging to the attack will some parts of the packets belonging to the attack will
be blocked by the firewall, thus IDS is unable to detect be blocked by the firewall, thus IDS is unable to detect
the signature of the attack. the signature of the attack.
In front of the firewall:In front of the firewall:
IDS will monitor all attacks coming from the outside. IDS will monitor all attacks coming from the outside.
Thus it is able to detect signatures of the attacks.Thus it is able to detect signatures of the attacks.
IDS will monitor all attacks coming from the outside. IDS will monitor all attacks coming from the outside.
Thus it is able to detect signatures of the attacks.Thus it is able to detect signatures of the attacks.
Protecting the IDS itself Protecting the IDS itself
One major issue is how to protect the system on which your One major issue is how to protect the system on which your
intrusion detection software is running. If security of the intrusion detection software is running. If security of the
IDS is compromised, you may start getting false alarms or IDS is compromised, you may start getting false alarms or
no alarms at all. The intruder may disable IDS before no alarms at all. The intruder may disable IDS before
actually performing any attack.actually performing any attack.
There are 2 ways of protecting the IDS:There are 2 ways of protecting the IDS:
Snort on Stealth Interface:Snort on Stealth Interface:
Only listens to the incoming traffic but does not send any Only listens to the incoming traffic but does not send any
data packets out. data packets out.
Snort with no IP Address Interface:Snort with no IP Address Interface:
When the IDS host doesn’t have an IP address itself, When the IDS host doesn’t have an IP address itself,
nobody can access it.nobody can access it.
One major issue is how to protect the system on which your One major issue is how to protect the system on which your
intrusion detection software is running. If security of the intrusion detection software is running. If security of the
IDS is compromised, you may start getting false alarms or IDS is compromised, you may start getting false alarms or
no alarms at all. The intruder may disable IDS before no alarms at all. The intruder may disable IDS before
actually performing any attack.actually performing any attack.
There are 2 ways of protecting the IDS:There are 2 ways of protecting the IDS:
Snort on Stealth Interface:Snort on Stealth Interface:
Only listens to the incoming traffic but does not send any Only listens to the incoming traffic but does not send any
data packets out. data packets out.
Snort with no IP Address Interface:Snort with no IP Address Interface:
When the IDS host doesn’t have an IP address itself, When the IDS host doesn’t have an IP address itself,
nobody can access it.nobody can access it.
SnortSnort
Snort is primarily a rule-based IDS. It has the ability to Snort is primarily a rule-based IDS. It has the ability to
perform real-time traffic analysis and packet logging on perform real-time traffic analysis and packet logging on
Internet Protocol (IP) networks. Internet Protocol (IP) networks.
Snort reads the rules at the start-up time and builds Snort reads the rules at the start-up time and builds
internal data structures or chains to apply these rules to internal data structures or chains to apply these rules to
captured data. captured data.
Snort comes with a rich set of pre-defined rules to Snort comes with a rich set of pre-defined rules to
detect intrusion activity and you are free to add your detect intrusion activity and you are free to add your
own rules at will. own rules at will.
Snort is primarily a rule-based IDS. It has the ability to Snort is primarily a rule-based IDS. It has the ability to
perform real-time traffic analysis and packet logging on perform real-time traffic analysis and packet logging on
Internet Protocol (IP) networks. Internet Protocol (IP) networks.
Snort reads the rules at the start-up time and builds Snort reads the rules at the start-up time and builds
internal data structures or chains to apply these rules to internal data structures or chains to apply these rules to
captured data. captured data.
Snort comes with a rich set of pre-defined rules to Snort comes with a rich set of pre-defined rules to
detect intrusion activity and you are free to add your detect intrusion activity and you are free to add your
own rules at will. own rules at will.
Modes of SnortModes of Snort
Snort can be configured to run in three modes-Snort can be configured to run in three modes-
Sniffer modeSniffer mode, which simply reads the packets off of , which simply reads the packets off of
the network and displays them on the screen.the network and displays them on the screen.
Packet Logger modePacket Logger mode, which logs the packets to disk., which logs the packets to disk.
Network Intrusion Detection System (NIDS) Network Intrusion Detection System (NIDS)
modemode, which allows Snort to analyze network traffic , which allows Snort to analyze network traffic
for matches against a user-defined rule set and for matches against a user-defined rule set and
performs several actions based upon what it sees.performs several actions based upon what it sees.
Snort can be configured to run in three modes-Snort can be configured to run in three modes-
Sniffer modeSniffer mode, which simply reads the packets off of , which simply reads the packets off of
the network and displays them on the screen.the network and displays them on the screen.
Packet Logger modePacket Logger mode, which logs the packets to disk., which logs the packets to disk.
Network Intrusion Detection System (NIDS) Network Intrusion Detection System (NIDS)
modemode, which allows Snort to analyze network traffic , which allows Snort to analyze network traffic
for matches against a user-defined rule set and for matches against a user-defined rule set and
performs several actions based upon what it sees.performs several actions based upon what it sees.
Components of SnortComponents of Snort
Packet DecoderPacket Decoder:: Prepares packets for processing. Prepares packets for processing.
Preprocessors or Input PluginsPreprocessors or Input Plugins:: Used to detect Used to detect
anomalies, packet defragmentation and reassembly.anomalies, packet defragmentation and reassembly.
Detection EngineDetection Engine:: Applies rules to packets. Applies rules to packets.
Logging and Alerting SystemLogging and Alerting System:: Generates alert and Generates alert and
log messages.log messages.
Output ModulesOutput Modules:: Process alerts and logs and Process alerts and logs and
generate final output.generate final output.
Packet DecoderPacket Decoder:: Prepares packets for processing. Prepares packets for processing.
Preprocessors or Input PluginsPreprocessors or Input Plugins:: Used to detect Used to detect
anomalies, packet defragmentation and reassembly.anomalies, packet defragmentation and reassembly.
Detection EngineDetection Engine:: Applies rules to packets. Applies rules to packets.
Logging and Alerting SystemLogging and Alerting System:: Generates alert and Generates alert and
log messages.log messages.
Output ModulesOutput Modules:: Process alerts and logs and Process alerts and logs and
generate final output.generate final output.
Flow of packetsFlow of packets
Basic Analysis and Security Basic Analysis and Security
Engine (BASE)Engine (BASE)
BASE is the output module used in our IDS.BASE is the output module used in our IDS.
This application provides a web front-end to query and This application provides a web front-end to query and
analyze the alerts coming from a Snort IDS system. analyze the alerts coming from a Snort IDS system.
It is written in PHP.It is written in PHP.
Engine (BASE)Engine (BASE)
BASE is the output module used in our IDS.BASE is the output module used in our IDS.
This application provides a web front-end to query and This application provides a web front-end to query and
analyze the alerts coming from a Snort IDS system. analyze the alerts coming from a Snort IDS system.
It is written in PHP.It is written in PHP.
WiresharkWireshark
Wireshark is a network packet analyzer. Wireshark is a network packet analyzer.
A network packet analyzer will try to capture A network packet analyzer will try to capture
network packets and tries to display that packet network packets and tries to display that packet
data as detailed as possible. data as detailed as possible.
Wireshark is a network packet analyzer. Wireshark is a network packet analyzer.
A network packet analyzer will try to capture A network packet analyzer will try to capture
network packets and tries to display that packet network packets and tries to display that packet
data as detailed as possible. data as detailed as possible.
Writing Snort rulesWriting Snort rules
All Snort rules have two logical parts: All Snort rules have two logical parts:
rule header and rule options.rule header and rule options.
The The rule headerrule header contains information about what action a contains information about what action a
rule takes. It also contains criteria for matching a rule against rule takes. It also contains criteria for matching a rule against
data packets. data packets.
The general structure of a Snort rule header:The general structure of a Snort rule header:
The The rule optionsrule options part usually contains an alert message and part usually contains an alert message and
information about which part of the packet should be used to information about which part of the packet should be used to
generate the alert message. The options part contains generate the alert message. The options part contains
additional criteria for matching a rule against data packets.additional criteria for matching a rule against data packets.
All Snort rules have two logical parts: All Snort rules have two logical parts:
rule header and rule options.rule header and rule options.
The The rule headerrule header contains information about what action a contains information about what action a
rule takes. It also contains criteria for matching a rule against rule takes. It also contains criteria for matching a rule against
data packets. data packets.
The general structure of a Snort rule header:The general structure of a Snort rule header:
The The rule optionsrule options part usually contains an alert message and part usually contains an alert message and
information about which part of the packet should be used to information about which part of the packet should be used to
generate the alert message. The options part contains generate the alert message. The options part contains
additional criteria for matching a rule against data packets.additional criteria for matching a rule against data packets.
Use of Variables Use of Variables
Three types of variables may be defined in Snort:Three types of variables may be defined in Snort:
• • var • portvar • ipvarvar • portvar • ipvar
Defining variables:Defining variables:
var RULES_PATH /snort/rules/var RULES_PATH /snort/rules/
portvar MY_PORTS [22,80,1024:1050]portvar MY_PORTS [22,80,1024:1050]
ipvar MY_NET [192.168.1.0/24,10.1.1.0/24]ipvar MY_NET [192.168.1.0/24,10.1.1.0/24]
Implementing variables:Implementing variables:
alert tcp any any -> $MY_NET $MY_PORTS ( msg:"SYN alert tcp any any -> $MY_NET $MY_PORTS ( msg:"SYN
packet";)packet";)
include $RULE_PATH/example.ruleinclude $RULE_PATH/example.rule
Three types of variables may be defined in Snort:Three types of variables may be defined in Snort:
• • var • portvar • ipvarvar • portvar • ipvar
Defining variables:Defining variables:
var RULES_PATH /snort/rules/var RULES_PATH /snort/rules/
portvar MY_PORTS [22,80,1024:1050]portvar MY_PORTS [22,80,1024:1050]
ipvar MY_NET [192.168.1.0/24,10.1.1.0/24]ipvar MY_NET [192.168.1.0/24,10.1.1.0/24]
Implementing variables:Implementing variables:
alert tcp any any -> $MY_NET $MY_PORTS ( msg:"SYN alert tcp any any -> $MY_NET $MY_PORTS ( msg:"SYN
packet";)packet";)
include $RULE_PATH/example.ruleinclude $RULE_PATH/example.rule
Design and implementationDesign and implementation
Position of NIDS sensors:Position of NIDS sensors:
As our NIDS is Snort based which uses rules (or As our NIDS is Snort based which uses rules (or
signatures) to detect an intrusion, so it should be able to signatures) to detect an intrusion, so it should be able to
match the conditions mentioned in the rules to the match the conditions mentioned in the rules to the
signature of the intrusion. signature of the intrusion.
Thus we place the sensor in front of the firewall Thus we place the sensor in front of the firewall
because if we place it behind the firewall, firewall will because if we place it behind the firewall, firewall will
block some unwanted or harmful parts of the packet block some unwanted or harmful parts of the packet
and our snort based IDS will not be able to detect and our snort based IDS will not be able to detect
signature of the attack.signature of the attack.
Position of NIDS sensors:Position of NIDS sensors:
As our NIDS is Snort based which uses rules (or As our NIDS is Snort based which uses rules (or
signatures) to detect an intrusion, so it should be able to signatures) to detect an intrusion, so it should be able to
match the conditions mentioned in the rules to the match the conditions mentioned in the rules to the
signature of the intrusion. signature of the intrusion.
Thus we place the sensor in front of the firewall Thus we place the sensor in front of the firewall
because if we place it behind the firewall, firewall will because if we place it behind the firewall, firewall will
block some unwanted or harmful parts of the packet block some unwanted or harmful parts of the packet
and our snort based IDS will not be able to detect and our snort based IDS will not be able to detect
signature of the attack.signature of the attack.
Setup:Setup:
Firewall
(192.168.2.34 )
Switch in DMZ
(172.18.21.10)
Switch in internal system
(192.168.2.138)
System to control
Switch in DMZ
Terminal server
(Workbench)
(172.18.21.2)
Internal thin
clients
System to control
Internal switch
Application
server
NIDS
(192.168.2.39)
Internet
Internal NetworkDMZ
Firewall
(192.168.2.34 )
Switch in DMZ
(172.18.21.10)
Switch in internal system
(192.168.2.138)
System to control
Switch in DMZ
Terminal server
(Workbench)
(172.18.21.2)
Internal thin
clients
System to control
Internal switch
Application
server
NIDS
(192.168.2.39)
Internet
Internal NetworkDMZ
Work done:Work done:
Install, configure and start snort as well as MySql, BASE, Install, configure and start snort as well as MySql, BASE,
barnyard etc.barnyard etc.
Create three different files in /etc/snort/variables . Create three different files in /etc/snort/variables .
Declare variables for device ip address, network addresses Declare variables for device ip address, network addresses
and ports for different protocols in the three files and and ports for different protocols in the three files and
include these files in the snort configuration file. include these files in the snort configuration file.
Create different files in /etc/snort/rules that will contain Create different files in /etc/snort/rules that will contain
rules for different protocols. Include the path of these file rules for different protocols. Include the path of these file
in the snort configuration file.in the snort configuration file.
Also, include a file for the generic rules, which are written Also, include a file for the generic rules, which are written
to show alerts for all kinds of incoming packets, wanted to show alerts for all kinds of incoming packets, wanted
and unwanted.and unwanted.
Install, configure and start snort as well as MySql, BASE, Install, configure and start snort as well as MySql, BASE,
barnyard etc.barnyard etc.
Create three different files in /etc/snort/variables . Create three different files in /etc/snort/variables .
Declare variables for device ip address, network addresses Declare variables for device ip address, network addresses
and ports for different protocols in the three files and and ports for different protocols in the three files and
include these files in the snort configuration file. include these files in the snort configuration file.
Create different files in /etc/snort/rules that will contain Create different files in /etc/snort/rules that will contain
rules for different protocols. Include the path of these file rules for different protocols. Include the path of these file
in the snort configuration file.in the snort configuration file.
Also, include a file for the generic rules, which are written Also, include a file for the generic rules, which are written
to show alerts for all kinds of incoming packets, wanted to show alerts for all kinds of incoming packets, wanted
and unwanted.and unwanted.
Now create an ssh from your terminal to the NIDS Now create an ssh from your terminal to the NIDS
machine. machine.
Start snort using “sudo /etc/init.d/snortbarn start”. The Start snort using “sudo /etc/init.d/snortbarn start”. The
snort should show alerts for unwanted packets in BASE. snort should show alerts for unwanted packets in BASE.
Using wireshark, we first check if the packets have the same Using wireshark, we first check if the packets have the same
content as the content mentioned in our rules. If the content as the content mentioned in our rules. If the
content is same, then snort should raise alert for these rules content is same, then snort should raise alert for these rules
in BASE. Otherwise, if the contents are not same, the rules in BASE. Otherwise, if the contents are not same, the rules
are updated with respect to the new content of the packet.are updated with respect to the new content of the packet.
machine. machine.
Start snort using “sudo /etc/init.d/snortbarn start”. The Start snort using “sudo /etc/init.d/snortbarn start”. The
snort should show alerts for unwanted packets in BASE. snort should show alerts for unwanted packets in BASE.
Using wireshark, we first check if the packets have the same Using wireshark, we first check if the packets have the same
content as the content mentioned in our rules. If the content as the content mentioned in our rules. If the
content is same, then snort should raise alert for these rules content is same, then snort should raise alert for these rules
in BASE. Otherwise, if the contents are not same, the rules in BASE. Otherwise, if the contents are not same, the rules
are updated with respect to the new content of the packet.are updated with respect to the new content of the packet.
ResultResult
When we start snort and run different protocols such as When we start snort and run different protocols such as
ssh, rdp, rmi etc, BASE shows new alerts. ssh, rdp, rmi etc, BASE shows new alerts.
Only the generic rules in our rule set show alerts. These Only the generic rules in our rule set show alerts. These
are the alerts for the unwanted packets or intrusions in the are the alerts for the unwanted packets or intrusions in the
network.network.
In BASE we can filter the alerts on the basis of various In BASE we can filter the alerts on the basis of various
parameters and then try finding out a solution to prevent parameters and then try finding out a solution to prevent
these intrusions in the network in the future.these intrusions in the network in the future.
When we start snort and run different protocols such as When we start snort and run different protocols such as
ssh, rdp, rmi etc, BASE shows new alerts. ssh, rdp, rmi etc, BASE shows new alerts.
Only the generic rules in our rule set show alerts. These Only the generic rules in our rule set show alerts. These
are the alerts for the unwanted packets or intrusions in the are the alerts for the unwanted packets or intrusions in the
network.network.
In BASE we can filter the alerts on the basis of various In BASE we can filter the alerts on the basis of various
parameters and then try finding out a solution to prevent parameters and then try finding out a solution to prevent
these intrusions in the network in the future.these intrusions in the network in the future.
Categories
GeneralDownload
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 6,035
- Slides 22
- Favorites 14
- Age 3740 days
Related Slideshows
22
Pray For The Peace Of Jerusalem and You Will Prosper
RodolfoMoralesMarcuc
30 views
26
Don_t_Waste_Your_Life_God.....powerpoint
chalobrido8
32 views
31
VILLASUR_FACTORS_TO_CONSIDER_IN_PLATING_SALAD_10-13.pdf
JaiJai148317
30 views
14
Fertility awareness methods for women in the society
Isaiah47
29 views
35
Chapter 5 Arithmetic Functions Computer Organisation and Architecture
RitikSharma297999
26 views
5
syakira bhasa inggris (1) (1).pptx.......
ourcommunity56
28 views